You’ve heard about the advantages of the cloud, so you’ve gone ahead and set up your company’s email in Office 365 and have been using it quite happily for a while. But you keep reading stories about hackers and other unpleasant characters trying to break in and steal your data, send spam emails, or do any of the other nefarious things people do to unsecured Office 365 tenancies. So you ask yourself, “What should I do to stop these bad people?” Well, here are some steps you can take to stay secure.

Create a new named admin account for yourself

Log in to the Office 365 admin portal and create a new user account.

When creating a named admin account, you want to name it something easily recognisable and attributable to a user. For example, this could be done by adding _Admin as a suffix to your username, but feel free to use whatever works well in the context of your company. If your day-to-day account is BobSmith@domain.com, then you should create your new admin account as something along the lines of BobSmith_Admin@domain.com.

Add the new user account to the Global Admins (GA) group. 

Set up Multi-Factor Authentication (MFA) for this user and check that you can log in using it (a browser incognito window is our favourite way of testing this).

DO NOT USE THIS ACCOUNT FOR DAY-TO-DAY WORK. You should have a separate “daily driver” account to use for checking emails, working on documents, etc. You should never perform day-to-day work using your admin account (it should not even have an Office license assigned to it, both to discourage doing work with it and to save money).

Once you are confident your new admin account is working, log in with it. 

Create a Break Glass account

Next, we are going to create an emergency access account (more commonly known as a Break Glass account). 

Once you’re logged into the Office 365 admin portal with your newly created admin account, create a new account with a name that is not tied to any specific user, something like Office365Breakglass@domain.onmicrosoft.com.

You may have noticed that the domain (all the text after the @ symbol) is different from our previous admin’s login account. We use the Microsoft-supplied domain rather than the main vanity domain to make sure that there will be no domain or federation issues when logging in with this account.

Setting up MFA for this account is a little tricky, as Microsoft’s best practice is to use a different MFA method from the one your other users use. So, if your users currently use the Authenticator app, you should use a FIDO2 key for the Break Glass account. The problem with this is when the Azure AD authentication service goes down, as it did a few years ago: then not even your Break Glass account can log in. So, some people choose not to enable MFA on their break glass accounts. This all depends on what you fear more: if it’s malicious people, use MFA; if it’s getting locked out of Office 365, leave MFA disabled.

Either way you should print off the username and password and put them somewhere very safe and secure. 

Remove extra Global admins

Once you have some named admin accounts and a Break Glass account set up, go and look at who is a member of the Global Admins group.

Ideally, it should only contain named admin accounts and Break Glass accounts. If you see that Jim from HR’s account is a member, double check exactly why they are a member of Global Admins (top tip: the answer “I couldn’t get stuff to work so I got the old guy to add me” is not a valid justification), and unless they have a very good answer they should be removed.

Make sure Audit logging is enabled for the tenancy

Next, we want to make sure that audit logging is enabled on our tenancy. Audit logging lets us see who is doing what and is invaluable for working out what is going on in your tenancy.

Still logged in as your new admin account, navigate to https://compliance.microsoft.com. In the left-hand pane look for Audit and click it. If auditing is not enabled, you will see a long blue button saying, “Start recording user and admin activity”. Click it to enable auditing. If that button is not present, then auditing is already enabled, and you don’t need to do anything else. 

From here you can start delving into the audit logs and see what is going on. A few good things to check are:

  • Determine if a user deleted email items in their mailbox. 
  • Determine who set up email forwarding for a mailbox. 
  • Determine if a user created an inbox rule. 
  • Investigate why there was a successful login by a user outside your organisation. 
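The same three checks, scripted against the unified audit log with the Exchange Online PowerShell module (an added example, not part of the original post). It assumes the ExchangeOnlineManagement module is installed and that the account you connect with holds the View-Only Audit Logs or Audit Logs role; the 30-day window and the 5000-record limit are choices, not requirements.

```powershell
# Added example: requires the ExchangeOnlineManagement module and an
# account holding the Audit Logs or View-Only Audit Logs role.
Connect-ExchangeOnline

# Same check as the "Start recording user and admin activity" button.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is NOT enabled for this tenancy.'
}

$start = (Get-Date).AddDays(-30)   # look back 30 days (assumption)
$end   = Get-Date

# Inbox rules and mailbox forwarding. Set-Mailbox is logged for many
# unrelated changes, so only keep it when a forwarding parameter was set.
$ops = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $ops -ResultSize 5000

$forwardingParams = 'ForwardingSmtpAddress', 'ForwardingAddress',
                    'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo'

$findings = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    # AuditData.Parameters is an array of {Name, Value} pairs
    $hit = $data.Parameters |
        Where-Object { $_.Name -in $forwardingParams -and $_.Value }
    if ($r.Operations -eq 'Set-Mailbox' -and -not $hit) { continue }
    [pscustomobject]@{
        When       = $r.CreationDate
        Actor      = $r.UserIds          # who made the change
        Operation  = $r.Operations
        Target     = $data.ObjectId      # mailbox or rule affected
        Forwarding = ($hit | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}
$findings | Sort-Object When -Descending | Format-Table -AutoSize

# Mailbox item deletions, counted per user so bulk deletions stand out.
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations SoftDelete, HardDelete, MoveToDeletedItems -ResultSize 5000 |
    Group-Object UserIds | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Successful sign-ins from outside the organisation (the fourth item in the list) live in the Azure AD sign-in logs rather than the unified audit log, so they are not covered here.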

Find Apps using Legacy Authentication and update them

Legacy authentication (sometimes referred to as legacy auth) is bad. It is old and insecure, and there are better ways of authenticating to Office 365. It is basically a way of signing into Microsoft Office 365 services that doesn’t support MFA.

Here are some fun stats about legacy auth: it is used in more than 99% of password spray attacks and 97% of credential stuffing attacks. Microsoft data says that a tenancy that has disabled legacy authentication suffers approximately 70% fewer account compromises than one with legacy auth still enabled.

So, we’ve looked at the stats and thought, “I don’t want to be sprayed or stuffed; how do I get rid of legacy auth?”

Well, the way to check whether legacy auth is being used to sign into any of the Office 365 services is to follow these steps:

  • Navigate to the Azure portal > Azure Active Directory > Sign-ins. 
  • Add the Client App column if it isn’t shown by clicking on Columns > Client App. 
  • Add filters > Client App > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box. 
  • If you’ve activated the new sign-in activity reports preview, repeat the above steps also on the User sign-ins (non-interactive) tab. 

If legacy auth is being used, this will give you a list of users and logins.

Using this list, you can find the user and upgrade whatever old app they’re using (I’m looking at you iPhone mail app). 
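The portal filter above, scripted with the Microsoft Graph PowerShell SDK so the output is one row per user, protocol and application (an added example, not the post’s own procedure). It assumes the Microsoft.Graph.Reports module is installed and the connecting account has AuditLog.Read.All and Directory.Read.All; the list of client app names is the set Azure AD labels as legacy authentication.

```powershell
# Added example: requires the Microsoft.Graph.Reports module.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Client App values that Azure AD sign-in logs report for legacy auth.
$legacyClientApps = @(
    'Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3',
    'MAPI Over HTTP', 'Exchange Web Services', 'Exchange Online PowerShell',
    'Autodiscover', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)',
    'Reporting Web Services', 'Universal Outlook', 'Other clients'
)

# Interactive sign-ins are retained for up to 30 days; the non-interactive
# report the portal shows separately needs the beta Graph endpoint.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# Filtered client-side for clarity; on a large tenant add
# "and clientAppUsed eq '<name>'" to -Filter to narrow the download.
$legacy = $signIns | Where-Object { $_.ClientAppUsed -in $legacyClientApps }

# One row per user + protocol + app, with the last time it was seen, so you
# know which app to upgrade and whether it is still in use.
$report = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $newest = ($_.Group | Sort-Object CreatedDateTime -Descending)[0]
        [pscustomobject]@{
            User      = $newest.UserPrincipalName
            Protocol  = $newest.ClientAppUsed
            App       = $newest.AppDisplayName
            SignIns   = $_.Count
            # ErrorCode 0 = the legacy sign-in actually succeeded
            Succeeded = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen  = $newest.CreatedDateTime
        }
    } | Sort-Object LastSeen -Descending

$report | Format-Table -AutoSize
```

Rows with zero in the Succeeded column are clients that are still trying legacy protocols but failing, which is exactly what you expect to see after the blocking policy in the next step is in place.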

Once you’ve fixed everyone’s old software and there are no more sign-ins using legacy auth you can use a Conditional Access Policy to block any apps from connecting, except if they use modern authentication, or you can disable specific legacy auth types from the Org Settings menu of the Office 365 Admin Center. 

Remove old users for fun and profit

I lied, removing users isn’t fun, but it can be profitable (well, it will save you money). We see Office 365 tenancies all the time with stale users (user accounts that have not logged in for more than 90 days). If such a user has a Microsoft 365 Business Premium license assigned to their account, you’ve wasted nearly £50 per user just because someone forgot to do some admin.

To find stale users, log in to the admin portal and navigate to Reports -> Usage -> Active Users.

Then scroll down the page and order the columns by your desired criteria (I usually find “Last activity date for Exchange” gives pretty good results, as almost all users use email daily).

In the above example we can see users who’ve never accessed emails, and some who’ve not accessed emails in over 18 months! 

You could also export these results and play around with them in Excel but for our example we’ll just use the built-in reports. 

Once you have a list of users simply head back to Users -> Active Users in the admin portal, select the users and click delete. 

Once the users have been deleted you can remove the excess licenses and save some money! 

  • In the admin center, go to the Billing > Your products page. 
  • On the Products tab, find the subscription for which you want to buy or remove licenses. Select the three dots (more actions), then select Buy licenses. 
  • If you want to reduce the number of licenses, at the top of the Buy licenses pane, select remove licenses. 
  • To buy or remove licenses, under New quantity in the Total licenses box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95. 
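A scripted alternative to the usage report for the first step of this procedure, listing licensed users with no sign-in in the last 90 days together with the licenses they hold (an added example, not the post’s own method). It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed; the signInActivity property needs an Azure AD Premium P1 license and the AuditLog.Read.All permission, otherwise it comes back empty.

```powershell
# Added example: requires Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement. SignInActivity needs P1.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Organization.Read.All'

$staleAfterDays = 90                              # the post's definition of stale
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# Map SKU ids to part numbers so the output says e.g. SPB, not a GUID
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

$users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, `
    AccountEnabled, CreatedDateTime, SignInActivity, AssignedLicenses

$stale = foreach ($u in $users) {
    # Unlicensed accounts cost nothing, so they are not the target here
    if ($u.AssignedLicenses.Count -eq 0) { continue }

    $lastSignIn = $u.SignInActivity.LastSignInDateTime
    if ($null -eq $lastSignIn) {
        # Never signed in: only stale if the account itself is older than the cutoff,
        # otherwise a user created yesterday would show up as stale on day one
        if ($u.CreatedDateTime -gt $cutoff) { continue }
    } elseif ($lastSignIn -gt $cutoff) {
        continue
    }

    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Enabled    = $u.AccountEnabled
        Created    = $u.CreatedDateTime
        LastSignIn = $lastSignIn                   # blank = never signed in
        Licenses   = ($u.AssignedLicenses | ForEach-Object { $skuNames[$_.SkuId] }) -join ', '
    }
}

$stale | Sort-Object LastSignIn | Format-Table -AutoSize
```

Review the list before deleting anything: shared mailboxes converted from user accounts, service accounts and staff on long leave all look stale by this measure.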

Next Steps

These tips will hopefully have an impact on the security and cost of your Office 365 tenancy, but they are by no means the only things you can do. When we onboard a new client, we have an exhaustive 30+ step procedure to check that the client’s tenancy is as secure and cost effective as possible.  

If you would like us to perform an Office 365 health and wellbeing check, please contact us using the form below.